Re: Routing for a Virtual Server in Checkpoint
- From: "Jean-François Gobin" <jf-no-spam-for-me@xxxxxxxxxx>
- Date: Tue, 19 Sep 2006 18:20:31 +0200
Well ...
Good question.
Virtual server has two modes: HTTP redirect and NAT.
In HTTP redirect, basically, you just send a "move to:" directive to the client, which in turn makes a new connection.
In the NAT scenario, I guess that one of the modes (pre- or post-NAT) may work, but without certainty. I've never changed the NAT mode of our firewall from the "heroic days" when we were used to 4.1 ...
I remember that the justification for this new mode was that "it suppresses the need for explicit routes". So, I guess it's something I have to try. I can't promise I'll do it for the end of September, but I think I may have enough time during October. If it can wait ...
Regards,
Jean-François Gobin
"Will" <DELETE_westes@xxxxxxxxxxxxxxxxxx> wrote in message news:5e2dncTbXpPc3pPYnZ2dnUVZ_o-dnZ2d@xxxxxxxxxxxxxxx
"Jean-François Gobin" <jf-no-spam-for-me@xxxxxxxxxx> wrote in message news:450d1610$0$428$4d4efb8e@xxxxxxxxxxxxxxxxxxxxxx
In fact it depends on whether you're doing pre-NAT or post-NAT. One of them doesn't require routes at all, but beware ... you may need to review your entire rulebase (pre-NAT does the NAT or de-NAT on the input interface ... post-NAT on the output interface). That's what they call "client side natting" or "server side natting".
What's the general opinion on which form of NAT is more secure?
The routes you have to insert in the OS are only to determine "to which interface should this packet be sent". Quite logical if you think that the address in question may be connected to the outside interface or even to no interface (case of a "pure virtual network").
Right, but my question (still unanswered) is how do I do those routes when I have one external IP, with three target ports that I want to map to three different target computers on three different DMZ networks? I can't just route one static IP to one static IP, and I can't route the one IP to one DMZ network. That will deliver the packet to the incorrect DMZ interface for two of the three target hosts.
"Automatic ARP" is there only to ensure that the NAT address can be resolved to a physical (i.e. Ethernet) address. Without that, you'll have to insert proxy ("permanent public" in BSD terms) ARP for each NAT (static or hide) you can have ... or insert host routes in your outside router.
I'm not having any problems with the arp part of this.
--
Will
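The disagreement in the thread comes down to the order of two operations on the firewall: destination translation and the route lookup. The small model below is an added illustration, not code from the thread and not Check Point's implementation; the public address, the three DMZ subnets, the interface names and the port-to-host mappings are all constructed for the example. It reproduces Will's setup (one external IP, three ports, three DMZ networks) and shows why "client side" translation (translate first, then route; what Gobin calls pre-NAT and what Check Point exposes as "Translate destination on client side") needs no extra routes, while "server side" translation (route on the original destination, translate on the way out) cannot be fixed with a single host route when the same public IP must reach three different interfaces.

```python
"""Client-side vs server-side destination NAT: where does the packet leave?

Added illustration, not from the thread and not Check Point code.  All
addresses, subnets and interface names are constructed for the example.
It models one public address whose ports 80, 25 and 443 are statically
mapped to hosts on three different DMZ networks.

  client-side NAT: translate the destination, THEN look up the route
  server-side NAT: look up the route on the ORIGINAL destination, then translate
"""
import ipaddress

# Constructed static NAT table: (public IP, port) -> (DMZ host, port).
NAT_TABLE = {
    ("203.0.113.10", 80): ("10.1.1.10", 80),
    ("203.0.113.10", 25): ("10.1.2.20", 25),
    ("203.0.113.10", 443): ("10.1.3.30", 443),
}

# Constructed routing table: (prefix, egress interface).  The public /24 is
# the firewall's own external segment, so without extra routes anything
# addressed to 203.0.113.10 resolves to the external interface.
ROUTES = [
    ("10.1.1.0/24", "dmz1"),
    ("10.1.2.0/24", "dmz2"),
    ("10.1.3.0/24", "dmz3"),
    ("203.0.113.0/24", "external"),
    ("0.0.0.0/0", "external"),
]


def lookup_route(dst_ip, routes=ROUTES):
    """Longest-prefix match over `routes`; returns the egress interface."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def translate(dst_ip, dst_port):
    """Apply the static NAT table; traffic with no entry passes unchanged."""
    return NAT_TABLE.get((dst_ip, dst_port), (dst_ip, dst_port))


def forward(dst_ip, dst_port, client_side, routes=ROUTES):
    """Return ((translated IP, port), egress interface) for one inbound packet.

    The only difference between the two modes is the order of the two steps.
    """
    if client_side:
        new_ip, new_port = translate(dst_ip, dst_port)
        return (new_ip, new_port), lookup_route(new_ip, routes)
    iface = lookup_route(dst_ip, routes)          # routed on the public IP
    return translate(dst_ip, dst_port), iface     # translated on the way out


def egress_by_port(client_side, routes=ROUTES):
    """Map each published port to the interface the packet actually leaves on."""
    return {port: forward(ip, port, client_side, routes)[1] for ip, port in NAT_TABLE}


if __name__ == "__main__":
    # The classic "fix" for server-side NAT is a host route for the public IP.
    # Only one next hop fits, so two of the three mappings still go wrong.
    host_route = ROUTES + [("203.0.113.10/32", "dmz1")]
    print("client-side            :", egress_by_port(True))
    print("server-side, no route  :", egress_by_port(False))
    print("server-side, host route:", egress_by_port(False, host_route))
```

Running it prints the three DMZ interfaces for client-side mode, "external" for all three ports in server-side mode with no extra route, and "dmz1" for all three once the single host route is added, which is exactly the "two of the three target hosts" failure in the question. The model only reports the interface chosen; a real firewall in the server-side case would drop or misdeliver the packet rather than forward it anywhere useful. The security trade-off Will asks about follows from the same ordering: with client-side translation the rulebase sees the translated (real DMZ) destination on the inbound interface, with server-side translation it sees the public address, so switching modes means re-checking every rule that names either address.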